I am investigating impossible travel alert in cloud app security but require a better understanding of how files are "touched" when accessed in O365. If there is documentation about this somewhere that would be great!
For instance, I have an "impossible travel" alert. It shows the following activities:
"AccessFile:" (on SharePoint) from the UK
then at the same timestamp :
"FileAccessedExtended:" (the same file on SharePoint) from Korea
Then "FilePreviewed" from a different IP but also in Korea
Then "Access File:" (same file on Sharepoint) from the UK
Then "Access File" (Diff file on SharePoint but on the same SharePoint file location) from Taiwan
All these activities occur at the same time for the same user. Can anyone help explain/understand this?
That's exactly why the impossible travel alert is getting triggered. You can adjust the threshold on this policy based on how sensitive you want it to be.
"This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials."